A single certificate can be installed in a keystore as many times as you want under as many
aliases as you want. However, the webserver generally only uses one of them
(in Tomcat for example, it's the tomcat one).
If you are using a web server for virtual hosting, and have multiple domain names running from a
single server, you need to be aware of the fact that the authentication and decryption
happen _before_ the identification of the virtual host, so as far as I know there is no way for a
single server on a single IP address to have multiple certificates.
(If I'm wrong about this I'd really like to know, because I'd like to do it.)
Bill
> Hi,
>
[quoted text clipped - 3 lines]
> Thanks
> Victor
> Hi,
>
> I am wondering if a certificate can have more than 1 common name?
Yes
> If it
> can, when we install such certificate on say a web server, is the
> webserver domain name only supposed to match one of the common names?
I'm not sure what you mean by match. Also, the client gets to decide
how it wants to interpret the various names in the certificate. It
would not surprise me to find clients that simply use the first CN and
ignore the rest. As another wrinkle, the relevant RFC on the issue, RFC
2818, says that you should be using the subjectAltName extension of type
dNSName instead of the CN. Please see RFC 2818 section 3.1
(http://www.rfc-editor.org/rfc/rfc2818.txt).
Some people are confused by the matching requirement. The basic rule
is: whatever address the user tells the browser to use to get to the
site, that address needs to be in the CN or subjectAltName field. Here
are a few examples of the implications of this. Suppose your
certificate says www.widget.com in the CN of the certificate:
If the user asks the browser to go to https://www.widget.com/whatever...
the browser will accept the name in the CN.
If it just so happens that www.widget.com is at 192.168.133.71 and the
user doesn't believe in DNS and instead enters
https://192.168.133.71/whatever... the browser should issue the
standard warning about a mismatched name.
If the user is really clever and lazy and goes to that site all the
time then maybe they'll make an entry in their local /etc/hosts file so
that xyz maps to 192.168.133.71. When they tell the browser to go to
https://xyz/whatever... the browser will go to the right address but it
will then give the mismatched name warning when it gets the cert.
However, if that cert also had CNs of 192.168.133.71 and xyz then all
these connections would proceed without warning.
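The reply above describes the RFC 2818 section 3.1 rule in prose. The following is an added example, not code from the thread or from any of its participants: a small hostname check that applies that rule (an address literal needs an iPAddress SAN, dNSName SANs take precedence over the CN, and the CN is only consulted when there are no dNSName SANs), run over the three ways of reaching the host in the reply. The CertNames container, the function names and the two sample certificates are constructed for the example; the second certificate carries the extra names as SAN entries, which is what RFC 2818 asks for, rather than as additional CNs.

```python
import ipaddress
from dataclasses import dataclass, field


# Hypothetical container for the identity-bearing fields of an X.509 cert.
# A real client would pull these out of the parsed certificate.
@dataclass
class CertNames:
    common_names: list                            # every CN in the Subject, in order
    san_dns: list = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: list = field(default_factory=list)    # subjectAltName iPAddress entries


def _match_dns(pattern, host):
    """Match one presented name against the requested host (RFC 2818 s3.1 wildcard rules)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # '*' stands for exactly one label, so the label counts must agree:
    # '*.a.com' matches foo.a.com but not bar.foo.a.com.
    if len(p_labels) != len(h_labels):
        return False
    # Conservative refinement beyond RFC 2818: never honour a wildcard in the
    # rightmost label, and allow at most one '*' per label.
    if "*" in p_labels[-1] or any(lbl.count("*") > 1 for lbl in p_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
            continue
        head, _, tail = p.partition("*")          # 'f*.com' matches foo.com, not bar.com
        if not h or len(h) < len(head) + len(tail):
            return False
        if not (h.startswith(head) and h.endswith(tail)):
            return False
    return True


def hostname_matches(cert, requested):
    """Return True if the name the user typed is covered by the certificate."""
    try:
        addr = ipaddress.ip_address(requested)
    except ValueError:
        addr = None
    if addr is not None:
        # The user typed an address literal: RFC 2818 requires an iPAddress SAN
        # that matches exactly. Text in the CN is never consulted for this case.
        return any(ipaddress.ip_address(a) == addr for a in cert.san_ip)
    if cert.san_dns:
        # dNSName SANs present: they are the identity and the CN is ignored,
        # even if the CN would have matched.
        return any(_match_dns(p, requested) for p in cert.san_dns)
    # No dNSName SAN: fall back to the CN. Which CN a client picks when there are
    # several varies; this takes the last (most specific) one, while a client that
    # reads only the first would behave differently, hence the preference for SANs.
    if cert.common_names:
        return _match_dns(cert.common_names[-1], requested)
    return False


# The three ways of reaching the same host described in the reply.
REQUESTS = ("www.widget.com", "192.168.133.71", "xyz")


def check_all(cert):
    return {r: hostname_matches(cert, r) for r in REQUESTS}


# Constructed sample certificates: CN only, and CN plus the SANs that cover all three.
CN_ONLY = CertNames(common_names=["www.widget.com"])
WITH_SANS = CertNames(common_names=["www.widget.com"],
                      san_dns=["www.widget.com", "xyz"],
                      san_ip=["192.168.133.71"])

if __name__ == "__main__":
    print("CN only:  ", check_all(CN_ONLY))
    print("with SANs:", check_all(WITH_SANS))
```

With the CN-only certificate, only https://www.widget.com/ passes; the address literal and the /etc/hosts alias both produce the mismatch the reply describes. With the SAN entries added, all three pass. Note the last assertion-worthy case: once a certificate has any dNSName SAN, a CN that is not repeated in the SAN list no longer counts, so when you move to SANs the original hostname must be listed there too.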
Sasisekar Sundaram - 30 Mar 2005 18:33 GMT
Hello,
I see what is happening, but you have mentioned that if we include all
possible domain names in the certificate, then we can avoid this warning
message. But my question is: how do we add multiple domain names to a single
certificate? Can you please verify this?
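As an added example (not from the thread or any of its participants) of how the extra names get into one certificate: the usual route with OpenSSL is a request config whose subjectAltName extension lists every DNS name and IP address, and a `req` invocation that reads it. The helper below renders such a config and the matching commands; the function names, the file base name and the sample names are constructed for the example, and the `-ext subjectAltName` option it emits for reading the result back requires OpenSSL 1.1.1 or later.

```python
import ipaddress


def alt_names(common_name, dns_names=(), ip_addrs=()):
    """Return the ordered (kind, value) SAN entries the certificate needs.

    The CN is always listed first: a client that honours SANs ignores the CN
    entirely, so leaving the CN out of the SAN list breaks the 'main' name.
    """
    entries = []
    for name in (common_name, *dns_names):
        name = name.strip().lower().rstrip(".")
        if not name or any(c.isspace() for c in name):
            raise ValueError(f"bad DNS name: {name!r}")
        if ("DNS", name) not in entries:          # drop duplicates, keep order
            entries.append(("DNS", name))
    for addr in ip_addrs:
        addr = str(ipaddress.ip_address(addr))    # raises ValueError if not an address
        if ("IP", addr) not in entries:
            entries.append(("IP", addr))
    return entries


def san_config(common_name, dns_names=(), ip_addrs=()):
    """Render an OpenSSL request config whose v3_req section carries the SANs."""
    lines = [
        "[ req ]",
        "distinguished_name = dn",
        "req_extensions     = v3_req",   # picked up by 'openssl req -new'
        "prompt             = no",
        "",
        "[ dn ]",
        f"CN = {common_name}",
        "",
        "[ v3_req ]",
        "subjectAltName = @alt_names",
        "",
        "[ alt_names ]",
    ]
    counters = {"DNS": 0, "IP": 0}
    for kind, value in alt_names(common_name, dns_names, ip_addrs):
        counters[kind] += 1
        lines.append(f"{kind}.{counters[kind]} = {value}")   # DNS.1 = ..., IP.1 = ...
    return "\n".join(lines) + "\n"


def openssl_commands(basename):
    """Commands that consume the config: a CSR for a CA, or a self-signed cert."""
    cnf = f"{basename}.cnf"
    return {
        # CSR: req_extensions from the config end up in the request, the CA must copy them.
        "csr": ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
                "-keyout", f"{basename}.key", "-out", f"{basename}.csr",
                "-config", cnf],
        # Self-signed: -x509 ignores req_extensions, so name the section explicitly.
        "self_signed": ["openssl", "req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes",
                        "-days", "365", "-keyout", f"{basename}.key",
                        "-out", f"{basename}.crt", "-config", cnf,
                        "-extensions", "v3_req"],
        # Read the SANs back to confirm they made it into the certificate.
        "show_sans": ["openssl", "x509", "-in", f"{basename}.crt", "-noout",
                      "-ext", "subjectAltName"],
    }


if __name__ == "__main__":
    # Constructed sample: the names from the earlier reply in this thread.
    cfg = san_config("www.widget.com", ["xyz"], ["192.168.133.71"])
    with open("widget.cnf", "w") as fh:
        fh.write(cfg)
    print(cfg)
    for label, argv in openssl_commands("widget").items():
        print(f"{label}: {' '.join(argv)}")
```

Two practical points: a public CA will only issue names it can validate, so `xyz` and a private address would be refused by a public CA and belong on an internal CA or a self-signed certificate; and since this thread is about keystores, Java's keytool can put the same entries in when generating the key pair with `-ext SAN=dns:www.widget.com,dns:xyz,ip:192.168.133.71`.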